Secure websites are insecure – ask Firesheep

Post navigation

An independent software developer in the USA has started his own campaign to push website operators towards encryption everywhere – or, at least, whenever it matters, which turns out to be a lot of the time.

Well-meaning websites use secure http, or https, at least during the login stage. This is vital, since it protects the username and password you submit. Once you have logged in, the site sets a browser session cookie which is unique to your login session.

Using a cryptographic hash tied both to your account details and to a random server-generated session key means that no-one can predict the value of this cookie in advance.

The cookie therefore very conveniently acts as a temporary access ticket to your account, so you don’t need to resubmit your login information on every page. Cookies are needed for this purpose because http is, by design, a stateless protocol. Each request from client to server is considered to be independent of all other requests, so some sort of repeatable authentication token is needed to denote that a series of requests belongs to an individual session.

So far, so good.

But many websites take the easy way out once your session cookie is set, reverting to regular, unencrypted http for the rest of your session. After all, your username and password are not needed again, so the need for encryption has passed. Right?

Wrong.

Reverting to insecure traffic brings its own intractable security problem. It exposes all of the rest of your session to interception, including the session cookie, which is transmitted in the headers of every http request to the site.

Slightly oversimplified, therefore, attackers who can sniff network packets from your PC can extract your website session cookie from the intercepted data, duplicate that cookie in their own browsers, and connect to that website as if they were you. And this sort of interception is easy – trivial, in fact – when you are connecting over an unsecured Wifi network. These are common in areas where WiFi access is provided for free.

Eric Butler’s Firesheep plugin for the Firefox browser implements exactly this attack to allow automated live hijacking of Facebook and Twitter logins, amongst others. This sort of attack is colloquially called sidejacking, for rather obvious reasons.

You can debate the morality of Butler’s open publication and promotion of his session-hijacking software all you like, but he makes a clear and important point. (Just don’t access anyone else’s account with his software, even for fun.)

Many websites, notably those which allow you to access and use any sort of personalised information, or to perform online activities for which you might be held accountable, are shortchanging you by using https only at the start of your session. They should use secure http throughout, protecting both the personal data you choose to upload and download, and the authentication token they use to identify you.

There are some reasonable exceptions to full-time https – for example if a site uses a login merely to limit access to its own unpersonalised intellectual property, such as software downloads or news articles. In general, however, an SSL login should be followed by an SSL session.

The traditional excuse for not using encryption everywhere is that SSL, the cryptographic layer of https, is “expensive”. There are two brisk reponses to that.

Firstly, so what? It’s cheaper to avoid any form of security for your customers. But no-one would accept that. So why should they accept half-baked security, either?

Secondly, says who? Google claims it has enabled https for all aspects of its Gmail service without adding any extra processing power.

This sort of boast from Google can be taken with a small pinch of salt – after all, Google is adding processing power and organisational smarts to its network to improve everything all the time – but it backs up the claim by explaining what it did.

Post navigation

4 comments on “Secure websites are insecure – ask Firesheep”

This is one of the reasons I was so disappointed by mozilla's decision to make unsigned ssl certificates so bloody difficult to use. https for secure transactions versus https for secure validated transactions should be differentiated. In general http is to the https what telnet is to ssh. Indeed, there is no such thing as a validated ssh session, but the vast majority of users consider this method of remote access to be completely secure.

If Firefox encounters an unsigned or invalid SSL certificate, you click "I understand the risks", then the "Add Exception…" button, then "Confirm Exception" button (the "permanently store exception" is checked by default if you find this irritating and don't want to see it again for that site).

Three mouse clicks… what so difficult about that?

So you'd prefer that identity spoofing be allowed without warning the user? If shame is to be applied anywhere it's not on Mozilla. You are wrong.

“code is a form of speech, and the freedom of speech must remain protected.” (As it happens, I don’t disagree.)”

i certainly do. people don’t talk to each other in code.
code is designed to make software which performs functions.
from calculating launch trajectories for space craft to measuring medication needs for patients in hospitals to facilitating silly arguments on the internet in chat rooms to launching ICBM’s and destroying life as we know it.

should that all be ‘free’?
there is no such thing as free speech as it is commonly bandied about. you can’t libel someone, give away state and military secrets if you work for the pentagon, post someone’s name and adress on the internet and call them a pedophile (a federal offense in most countries).

and beyond that WHY is ‘free speech’ so laudible over and above the right of people to live in safety and peace, unmolested by some of the violent and deranged individuals who wish harm on others for whatever reason they choose (plenty of examples of that)

freedom of speech isn’t a ‘right’ that precludes and overrides all others. that’s an invention of hollywood and spoilt brats with ADD who think it’s amusing to harass people anonymously over the internet and in some cases drive them to suicide.

Freedom in this country means, “Freedom to do anything that does not encroach on other people’s rights to freedom.”

You can’t murder somebody because that violates their rights to life, liberty, and the pursuit of happiness.

Freedom of Speech means you can say anything you want as long as it does not violate the rights of others. Freedom of Speech does not give you the right stalk/harass other people, because that encroaches on THEIR rights to life, liberty and the pursuit of happiness. You can’t give away military secrets because that violates the rights of the government body that we the people gave to it so it could do it’s job.

Freedom of Speech is a valuable right that thousands of our forefathers died for, a valuable right that many people on this earth still don’t have. It’s often misunderstood and under-valued by those who never had to learn what it’s really worth.